Configuring Auditing for SAS Web Applications

Overview of Auditing

SAS Web applications and other SAS middle-tier services provide auditing features. Depending on the application and its configuration, these auditing features can record all actions performed both by the direct users of the system and by the system itself. Some applications might provide a more complete audit, detailing not only the actions that are performed but also the states of the objects that are affected by those actions.
Log on, log off, and unsuccessful log on attempts create audit records for all deployments. Additional actions that can be audited for SAS Web Infrastructure Platform are described in this section. If a SAS solution is installed, see the solution documentation for information about additional actions that can be audited.

Audit Record Storage

Audit records are stored in the SAS Web Infrastructure Platform database. These audit records are stored in two relational tables, SAS_AUDIT and SAS_AUDIT_ENTRY. Two additional tables, SAS_AUDIT_ARCHIVE and SAS_AUDIT_ENTRY_ARCHIVE, provide archival audit data.
Do not access the tables directly for audit reporting. The SAS Web Administration Console provides an interface for viewing log on, log off, unsuccessful log on attempts, and last user logon information.
Depending on the auditing configuration of the deployed SAS applications, audit records can contain different types of audit information. However, all audit records contain the following information:
  • user ID that performed the audited action.
  • action that occurred. This is stored as an action code.
  • date and time that the audited action occurred.

Guidelines for Auditing the SAS Middle Tier

The auditing process in the SAS middle tier is designed to be efficient for both processing time and storage. However, you might want to limit the number of audited events to minimize any effect on performance and minimize the size of the audit trail. The SAS middle tier auditing features provide the tools to help you balance the need to gather sufficient security or historical records with the ability to store and process them.
Consider these guidelines to make efficient use of the SAS middle tier auditing features:
  • Evaluate the purpose of auditing an action. Make sure that records for an audited action can be used to serve a business purpose.
  • When auditing for security, audit generally and then audit specifically. Analyze the records from general audit options to provide the basis for targeting specific audited actions.
  • When auditing for historical information, audit for actions that are important to your business only. Avoid cluttering valuable audit records with less relevant audited actions. Narrowing the focus to valuable actions also reduces the amount of audit trail administration.
  • Align the audit requirements to the most strictly regulated application. If your SAS deployment includes a number of SAS applications, the applications might have varying requirements. Make sure that the audited actions match the most strictly regulated application.
When auditing is enabled and audit records are generated, the audit trail size increases according to two factors:
  • the number of actions that are enabled for auditing
  • how frequently the audited actions are performed
If the SAS Web Infrastructure Platform database becomes completely full and audit records cannot be inserted, the audited actions cannot be successfully executed until the audit trail is purged. The system administrator must control the rate of increase and size of the audit trail. To control the size of the audit trail, consider the following strategies:
  • Be selective about which actions are enabled for auditing. If the number of audited actions is reduced, then unnecessary and useless audit records are not generated and are not stored in the audit trail.
  • Design archive rules to move important, but not critically important, information out of the audit trail. This process archives the audit records of interest and removes them from the main audit table. For information about archiving, see Archive Process for Audit Records.
  • Purge the audit archive tables as needed.

Enable Auditing for Additional Services

All SAS products that include the SAS Web Infrastructure Platform provide audit records for logon, log off, and unsuccessful log on attempts. Other standard services can also be audited:
  • mail service
  • content service
  • job execution service
  • workspace service
  • scheduling service
  • impersonation service
To enable auditing for any of these services, follow these steps:
  1. Edit the SAS-install-dir\SASWebInfrastructurePlatform\9.3\Static\wars\sas.wip.services\WEB-INF\spring-config\aop-config.xml file.
  2. Review the comments to locate the service that you want to audit. Each of the services is commented out in the initial deployment. The following example shows the job execution service:
    <!-- Job Execution Service auditing 
    <bean class="com.sas.svcs.aop.auditing.jes.SuccessfulSubmitJobAuditAdvice">
         <property name="auditRecorder" ref="auditService" />
    </bean>
    
  3. Add closing comment markup and then remove the original closing comment markup (-->) from the bottom of the code block. Save your changes.
  4. Rebuild the SAS Web Infrastructure Platform with the SAS Deployment Manager.
    Note: Subsequent upgrade activities can overwrite this file. For example, if you later install a maintenance release that includes aop-config.xml, then you must repeat this procedure.
  5. Redeploy the SAS Web Infrastructure Platform Services Web application (sas.wip.services9.3.ear).
Enabling auditing for other SAS applications requires editing different files, but the steps are similar to the previous procedure. For example, auditing for SAS Workflow is controlled with the SAS-install-dir\SASWebInfrastructurePlatform\9.3\Static\wars\sas.workflow\WEB-INF\spring-config\aop-config.xml file.
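Step 3 of the procedure above, sketched as an added Python example (not SAS code): it closes the label comment on its first line, drops the old closing markup, and confirms that the result is still well-formed XML with the bean now live. The sample file content, the mail bean class, and the function names are constructed for illustration; only the Job Execution Service bean comes from this page, and the closing markup is assumed to sit on its own line.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not the real file. Only the Job Execution Service bean
# comes from the page; the mail bean class is a placeholder.
SAMPLE_AOP_CONFIG = """<beans>
    <!-- Mail Service auditing
    <bean class="example.placeholder.MailAuditAdvice">
         <property name="auditRecorder" ref="auditService" />
    </bean>
    -->
    <!-- Job Execution Service auditing
    <bean class="com.sas.svcs.aop.auditing.jes.SuccessfulSubmitJobAuditAdvice">
         <property name="auditRecorder" ref="auditService" />
    </bean>
    -->
</beans>
"""


def enable_service_audit(config_text, label):
    """Uncomment the bean block whose comment starts with `label`."""
    # Group 1: opening markup plus the label line.
    # Group 2: the commented-out beans, up to a line holding only "-->".
    pattern = re.compile(
        r"(<!--[ \t]*" + re.escape(label) + r"[ \t]*)\r?\n"
        r"(.*?)^[ \t]*-->[ \t]*\r?\n",
        re.DOTALL | re.MULTILINE,
    )
    new_text, count = pattern.subn(lambda m: m.group(1) + " -->\n" + m.group(2), config_text)
    if count != 1:
        raise ValueError(f"expected one commented block for {label!r}, found {count}")
    ET.fromstring(new_text)  # raises ParseError if the edit broke the XML
    return new_text


def active_bean_classes(config_text):
    """List bean classes that are live (not inside a comment), ignoring namespaces."""
    root = ET.fromstring(config_text)
    return [e.get("class") for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "bean"]
```

Running `enable_service_audit` a second time on its own output raises `ValueError`, which makes the edit safe to repeat after a maintenance release overwrites the file.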

Archive Process for Audit Records

Once the audit features are enabled, records are added to the SAS_AUDIT and SAS_AUDIT_ENTRY tables. The records can be archived to the SAS_AUDIT_ARCHIVE and SAS_AUDIT_ENTRY_ARCHIVE tables. An archive job is used to control which records to archive. The archive job reads the archive rules in the SAS_AUDIT_ARCHIVE_RULE table. The archive job always starts when SAS Web Infrastructure Platform Services starts. In addition, the default archive job is scheduled to start every Monday at the start of day, but the archive job schedule can be configured.
The following table describes the columns in table SAS_AUDIT_ARCHIVE_RULE. Rows must be added to this table to identify the objects, actions, and age for the archive job to process.
SAS_AUDIT_ARCHIVE_RULE Column Description
Column Name      Description
---------------  -----------
OBJECT_TYPE_ID   Object type. Each object type is assigned an ID in table SAS_TYPE_OBJECT.
ACTION_TYPE_ID   Type of change. Each action type is assigned an ID in table SAS_TYPE_ACTION.
FREQUENCY_NO     A numeric value in milliseconds. Records that meet the criteria for OBJECT_TYPE_ID and ACTION_TYPE_ID, and are also older than this value, are archived.
To control the archive job schedule, you can add a JVM option to the Web application server. The -Dsas.audit.archive.cron JVM option can be used to specify the schedule. The schedule is set with a syntax that is similar to cron:
-Dsas.audit.archive.cron="second minute hour day_of_month month day_of_week"
The following example schedules the archive job to run each day at midnight:
-Dsas.audit.archive.cron="0 0 0 * * *"
You can confirm the archive job runs and reads the archive rules by adding a logging context to com.sas.svcs.audit at the INFO level.
The following table identifies the common object types and actions that you might want to include in the SAS_AUDIT_ARCHIVE_RULE table:
Common Audit Object Types and Actions
Audit Action          Object Type ID Value  Action Type ID Value
--------------------  --------------------  --------------------
User log on           -1                    8
User log off          -1                    9
Sent E-mail           -1                    44
Add job               11                    0
Submit job            10                    3
Retrieve job          11                    45
Cancel job            10                    47
Release job           10                    48
Update job            11                    1
Remove job            11                    37
Start scheduled job   86                    3
Remove scheduled job  86                    37
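The archive rule semantics described above, as an added Python example (not SAS code): it converts a retention period in days to the millisecond FREQUENCY_NO value and models which records a rule set would select. It uses an in-memory SQLite database as a stand-in; the `audit_sample` table, the sample records, and the function names are constructed, and SAS_AUDIT_ARCHIVE_RULE is assumed to hold only the three columns listed on this page.

```python
import sqlite3

MS_PER_DAY = 24 * 60 * 60 * 1000

# (object type ID, action type ID) pairs copied from the table above.
AUDIT_ACTIONS = {
    "User log on": (-1, 8),
    "User log off": (-1, 9),
    "Submit job": (10, 3),
}

# Constructed sample records: (id, object type, action type, timestamp in ms).
NOW_MS = 1000 * MS_PER_DAY
SAMPLE_RECORDS = [
    (1, -1, 8, NOW_MS - 100 * MS_PER_DAY),  # log on, 100 days old
    (2, -1, 8, NOW_MS - 10 * MS_PER_DAY),   # log on, 10 days old
    (3, 10, 3, NOW_MS - 45 * MS_PER_DAY),   # submit job, 45 days old
    (4, -1, 9, NOW_MS - 300 * MS_PER_DAY),  # log off, 300 days old, no rule
]


def build_rules(retention_days):
    """Turn {action name: days to keep} into SAS_AUDIT_ARCHIVE_RULE rows."""
    return [AUDIT_ACTIONS[name] + (days * MS_PER_DAY,)
            for name, days in retention_days.items()]


def archived_ids(rules, records, now_ms):
    """Model the rule match: same object and action type, older than FREQUENCY_NO."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SAS_AUDIT_ARCHIVE_RULE "
               "(OBJECT_TYPE_ID INTEGER, ACTION_TYPE_ID INTEGER, FREQUENCY_NO INTEGER)")
    # Stand-in for the audit table; the real SAS_AUDIT layout is not on this page.
    db.execute("CREATE TABLE audit_sample "
               "(id INTEGER, object_type_id INTEGER, action_type_id INTEGER, ts_ms INTEGER)")
    db.executemany("INSERT INTO SAS_AUDIT_ARCHIVE_RULE VALUES (?, ?, ?)", rules)
    db.executemany("INSERT INTO audit_sample VALUES (?, ?, ?, ?)", records)
    cur = db.execute(
        "SELECT DISTINCT a.id FROM audit_sample a JOIN SAS_AUDIT_ARCHIVE_RULE r "
        "ON a.object_type_id = r.OBJECT_TYPE_ID AND a.action_type_id = r.ACTION_TYPE_ID "
        "WHERE ? - a.ts_ms > r.FREQUENCY_NO ORDER BY a.id", (now_ms,))
    return [row[0] for row in cur]
```

Record 4 is never selected because no rule names its object and action type, which is how unmatched actions keep growing the main audit tables.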

Purging Audit Records

After auditing has been enabled for some time and the audit archive process runs, you might want to delete records from the SAS_AUDIT_ARCHIVE and SAS_AUDIT_ENTRY_ARCHIVE tables. Purging records that are no longer needed recovers some archival space and facilitates better audit trail management. For information about deleting records from the SAS Web Infrastructure Platform database, see the documentation for the database.